1. Field of the Invention
The present invention relates to packet inspection devices and methods, and more particularly, to a packet inspection device and method for use with a packet-retrievable network apparatus to perform packet state inspection.
2. Description of the Prior Art
Transmission Control Protocol (TCP) and Internet Protocol (IP), protocols of vital importance to the Internet, enable messages to be conveyed among computers and operating environments. The messages are conveyed in the form of packets, using TCP/IP.
To transmit data over TCP, a connection must first be established. A TCP-layer connection begins when the two host computers exchange packets carrying connection control messages; each side inspects the TCP packet header information, advances its state machine, and sets up a session until the sender and the receiver are connected. Connection request, connection confirmation, and connection success, completed in that sequence, constitute the 3-way handshake.
The number and complexity of attacks on the Internet are ever-increasing. The most common forms of Internet-based attack are the SYN (synchronize), SYN/ACK, and ACK (acknowledge) DoS attacks. For instance, a SYN flooding attack abuses an otherwise well-functioning process: after receiving a SYN packet from the client and sending out a SYN/ACK packet, the server waits for an ACK packet from the client; if none arrives, the server sends the SYN/ACK packet to the client again and, after waiting a further period of time in vain, drops the unfinished connection. In a SYN flooding attack, an overwhelmingly large number of SYN packets are sent to a server maliciously, so that the server's attempts to maintain a large number of partial (half-open) connections waste CPU resources and memory space.
The prior art disclosed a Stateful Inspection Module Architecture, which involves recording the state of a packet stream, searching the packet records for data about the state of the stream, and determining whether an admitted packet is normal. There are three ways of searching the data. First, a linear search, in which the search proceeds from the first entry to the last entry to confirm whether the intended data is present. Second, a tree search, for example an AVL tree search. Third, an improvement in hardware, for example supplementing the search with a content addressable memory (CAM).
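The following is an added example, not code from the patent or from any prior-art product: a small stateful inspection table that tracks the 3-way handshake as a state machine per flow, keeps flow records in a hash table (so search cost does not grow with the size of the connection record, unlike the linear search described above), and expires half-open connections left behind by SYNs that never complete. The packet layout, the 3-second timeout, the state names and the addresses in `demo()` are all constructed for illustration.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport flags")  # constructed: 4-tuple + flags
SYN, ACK = 0x02, 0x10   # TCP flag bits; a SYN/ACK carries both

# Handshake state machine: (state, or None if unrecorded; SYN/ACK bits seen) -> next state
TRANSITIONS = {
    (None, SYN): "SYN_RECEIVED",
    ("SYN_RECEIVED", SYN | ACK): "SYN_ACK_SENT",
    ("SYN_ACK_SENT", ACK): "ESTABLISHED",
    ("ESTABLISHED", ACK): "ESTABLISHED",
}

class ConnectionTable:
    def __init__(self, syn_timeout=3.0):
        self.syn_timeout = syn_timeout  # seconds a half-open flow may wait
        self.flows = {}  # keyed by flow: search cost stays flat, unlike a linear scan

    @staticmethod
    def _key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)  # one key for both directions

    def inspect(self, p, now):
        key = self._key(p)
        e = self.flows.get(key)
        nxt = TRANSITIONS.get((e["state"] if e else None, p.flags & (SYN | ACK)))
        if nxt is None:   # e.g. ACK with no flow, or a repeated SYN on a live flow
            return "unexpected"
        self.flows[key] = {"state": nxt, "seen": now}
        return nxt        # the flow's new state

    def expire(self, now):
        stale = [k for k, e in self.flows.items()   # half-open flows past timeout
                 if e["state"] != "ESTABLISHED" and now - e["seen"] > self.syn_timeout]
        for k in stale:
            del self.flows[k]
        return len(stale)

    def half_open(self):
        return sum(e["state"] != "ESTABLISHED" for e in self.flows.values())

def demo():
    """Constructed traffic: one completed handshake, then SYNs never followed by ACK."""
    t = ConnectionTable()
    t.inspect(Packet("10.0.0.1", 40000, "10.0.0.9", 80, SYN), 0.0)
    t.inspect(Packet("10.0.0.9", 80, "10.0.0.1", 40000, SYN | ACK), 0.1)
    t.inspect(Packet("10.0.0.1", 40000, "10.0.0.9", 80, ACK), 0.2)
    for port in range(50000, 50005):
        t.inspect(Packet("10.0.0.7", port, "10.0.0.9", 80, SYN), 1.0)
    return t.half_open(), t.expire(5.0), len(t.flows)  # (5, 5, 1)
```

A rising `half_open()` count against a fixed expiry budget is the condition a defender would alert on; the table itself only records state, it does not decide policy.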
However, the prior art has the following drawbacks:
(1) Packet inspection is slow. To inspect a packet state, the record of connections is searched linearly, so the time taken to search while adding or updating a packet state is proportional to the number of entries in the record of connections.
(2) It occupies much memory space. A tree search is quick, but its drawback is that it occupies much memory space.
(3) It incurs high costs. Content addressable memory enables quick inspection of packets and reduces the occupied memory space, but it has drawbacks, namely high cost and limited applicability.
Accordingly, an issue calling for an urgent solution is to provide a packet inspection device and method that speed up inspection of packet state, minimize occupied memory space, cut costs, and fend off malicious attacks targeted at packets on the Internet.